Ed Vaizey says Cookie Directive is meaningless

Today’s advice from DCMS shows that the UK has no intention of implementing any form of meaningful consent for tracking from advertising companies.

Today, more or less every Internet user is spied on by advertising companies, who use cookies to see what sites you visit, create a profile about your interests and then serve adverts to reflect these interests.

Cookies weren’t meant to be used like this. They were designed to help a website know if you’d logged in, or placed items in a shopping basket, by tracking who you were. Unfortunately this tracking has been extended to profile your movements around commercial sites purely to help advertisers.

Because profiling people’s interests without consent is morally reprehensible, and an attack on our fundamental right to privacy, the EU chose to legislate to require consent. The new “Cookie” Directive, however, omitted the word “prior” from the definition of consent. Advertisers – and now the UK government – are arguing that “browser settings may give consumers a way to indicate their consent to cookies.”

However, Ed Vaizey states:

in its natural usage ‘consent’ rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing.

That is, basically: forget it. Consent is impractical, so it is implied by your browser settings whenever you permit cookies, and you have therefore agreed to be profiled.

Comments (25)

I understand your point in one respect (the idea of consenting to have information about yourself used by a company is entirely fair and right), but I would take the stance that if you do not wish, for whatever reason, for advertisers to advertise to you products you are more likely to be interested in, then you already have the ability to opt out with a variety of permission settings on your browser. I am of the opinion that everything you do online outside of SSL secured areas is free for all to see, in the way everything you do in the real world outside of your house is free for all to see. I even quite like that I get served with adverts for new cameras and design related subjects (as this is my job) and not with, say, exercise equipment or feminine products. Advertising is part of the culture we live in and most educated people are aware of when they are being advertised to; advertisers having information regarding what we like and don't like is hardly the biggest breach of our liberties currently in progress.

“browser settings may give consumers a way to indicate their consent to cookies.”

Well, that's what Do Not Track is all about. http://donottrack.us/ In the few short months since Mozilla introduced it, it's been implemented by every browser except Chrome.

You can either spend years arguing that tracking should be opt-in (which, in a perfect world, would probably be true), or you can spend the time and effort on encouraging people to switch on DNT. I suspect the latter course will be more fruitful than the former.

I take your point, although I would just say that Do Not Track is designed in the USA where there is no legal presumption of privacy. In Europe, both the fundamental right to privacy and the data protection laws built on it are very clear about needing prior consent to do something which is otherwise protected by your right to privacy. ORG is worried about the erosion of that principle which seems to be taking place in this legislation, and its interpretation.

If they hadn't done such a terrible job of drafting the legislation, businesses would probably have fewer objections to implementing it. As a web developer it's still unclear to me how I'm supposed to legally implement various standard user-experience tailoring features now. The law should have been more accurately and precisely targeted; then there would be more co-operation from within the web development industry. As it stands, I'm on several mailing lists where people are saying "Compliance with this is, in practical terms, impossible - I'm just going to ignore it". They're not malicious people; they're not tracking anyone for anything other than to make individual websites work as users expect them to. This law is either going to be ignored, or it's going to put UK web developers (and/or their clients) at a noticeable business disadvantage. :(

Hi Denny, it's clear that the Directive is both unclear and somewhat misunderstood. It doesn't target general cookies, as some people have assumed, but, the Commission says, in the case of “data not related to the service currently accessed by the user, the new rules require Member States to ensure users have given their consent before such data is stored or accessed.”

If they are, as you say, “not tracking anyone for anything other than to make individual websites work as users expect them to”, then they shouldn't be affected by the Directive in any way.

The same advice exempts "cookies that directly relate to the provision of a service explicitly requested by the user". I think it's the definition of 'explicitly' that's worrying people - there would seem to be a potential middle-ground not clearly covered by either the exempt or non-exempt advice. As you say, it's all a bit unclear. Although they do seem to have added 'language prefs' to the list of examples for exemption now, which is promising from my point of view (that and accessibility options were two of the things I was most concerned about, and they seem safer now).

That said, I'm still worried about the UK's interpretation of the Directive (I assume the Directive has to be implemented by a corresponding UK Act). Parliament's ignorance on technical issues could lead to all kinds of devil in the details... particularly where the Directive is not absolutely clear in its intent.

(I should disclaim that I'm commenting in a personal capacity, not as a member of the ORG Advisory Council and not on behalf of my employer.)

Thankfully(?) this is the kind of Directive that gets transposed into UK law by Secondary Legislation, rather than Primary Legislation (so a Statutory Instrument, rather than an Act). So Parliament won't have a say in the wording — they can either accept the DCMS's proposed wording or reject it wholesale, not bicker about that jot and this tittle.

I really find this position difficult to understand. Cookies technologically not only require your consent, they require your active cooperation, as your browser has to volunteer the cookie every time it makes a request. Do Not Track sounds like a fine idea if it can have the force of law; that's not going to happen for users in every country. But fundamentally, your browser is actively doing something that you don't want it to do. It's the browser's responsibility to make it easier to not actively cooperate with advertisers you don't want to be tracked by.

In bizarro-world, mobile phones might be configured to automatically reply to SMS spam, costing you credit. There are many good reasons to outlaw SMS spam, but the real solution to this problem would clearly be to make your phone stop doing that. If that is not easy to do, we should make better phones.

There are more insidious forms of tracking based on checking browser versions, screen resolutions, etc. which don't require your browser's active cooperation; in these cases, obviously ceasing to cooperate is not an available solution so my argument does not apply.

Don't most browsers now have 'accept all cookies', 'accept only cookies from the site I'm on', and 'accept no cookies', with the default being the first? If I'm remembering that correctly, then pressuring browser distributors to change that default to the middle one might be the fastest effective action to take...

Actually, you wrote "accept" rather than "send" -- but the longer answer is: vast quantities of research have gone into ways of browsers being able to sort out the bad uses of cookies from the good ones (i.e. ones people want, and will complain if it doesn't work). And no-one has come up with one yet.
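The mechanism the last three comments describe (the browser volunteering a cookie on every request, and the "accept all" versus "only the site I'm on" settings) as an added example, not code from the post or any commenter: a toy cookie jar that models those settings and shows why an ad network's cookie links visits to unrelated sites unless third-party cookies are blocked. All hostnames and the `uid` value are constructed placeholders, and the registrable-domain check is a deliberate simplification.

```python
# Added example: a toy cookie jar modelling the three browser settings
# discussed above. Hostnames and cookie values are constructed.
from dataclasses import dataclass, field

ACCEPT_ALL, FIRST_PARTY_ONLY, ACCEPT_NONE = "all", "first-party", "none"


def site_of(host: str) -> str:
    """Crude registrable-domain check (last two labels). Real browsers
    consult the Public Suffix List; that is out of scope here."""
    return ".".join(host.split(".")[-2:])


@dataclass
class CookieJar:
    policy: str
    store: dict = field(default_factory=dict)  # host -> {name: value}

    def allows(self, request_host: str, page_host: str) -> bool:
        """May a cookie for request_host be used inside a page from page_host?"""
        if self.policy == ACCEPT_NONE:
            return False
        if self.policy == FIRST_PARTY_ONLY:
            return site_of(request_host) == site_of(page_host)
        return True

    def set_cookie(self, request_host: str, page_host: str, name: str, value: str):
        # Set-Cookie on a response: stored only when the policy allows it.
        if self.allows(request_host, page_host):
            self.store.setdefault(request_host, {})[name] = value

    def cookie_header(self, request_host: str, page_host: str) -> dict:
        # Cookie header the browser volunteers on a request. This jar
        # applies the same rule to sending as to accepting.
        if not self.allows(request_host, page_host):
            return {}
        return dict(self.store.get(request_host, {}))


def ad_network_sees(policy: str) -> list:
    """Simulate two visits to unrelated sites that both embed ads.example,
    returning the identifier the ad network receives on each visit."""
    jar = CookieJar(policy)
    seen = []
    for page in ("news.example", "shop.example"):
        sent = jar.cookie_header("ads.example", page)
        seen.append(sent.get("uid"))
        if "uid" not in sent:  # first sighting: the ad network assigns an id
            jar.set_cookie("ads.example", page, "uid", "u-42")
    return seen
```

Under "accept all" the second visit arrives with the identifier assigned on the first, so the two sites are linked into one profile; under "only the site I'm on" the ad network never receives one.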

I think there's a strong case for saying that the Facebook 'like' button on external sites is at least as serious a privacy concern as Google Analytics (which is what most people favouring this legislation seem to be focusing on).

Exactly so. Facebook – without your consent – follows your progress around the web, wherever their widget is installed. That isn’t “necessary for the operation of a website”; it should require prior consent, and the widget could do its job without the tracking.

Speaking purely hypothetically, and not endorsing any position on the matter, I would guess that Facebook would argue that the Like button (and its other social plugins) would do their job much less effectively if it weren't allowed to store that users are logged in and, thus, incentivise the Like buttons with facepiles and text saying which of your friends already Like whatever it is.

Indeed, were it not for the change in this Directive, I'd guess they already argue that the user has implicitly given consent by remaining logged into Facebook after leaving the site.

Your comment system is broken. I tried ten times and it kept telling me I entered the CAPTCHA incorrectly. Then I tried entering an email address into the Email: field and it worked fine. If the error is that I didn't enter an email address, it should not tell me instead that I entered the CAPTCHA incorrectly. Anyway, why do I need an email address?

Re the guy who wants to teach everyone to opt out - dream on. Some geeks don't realise 90% of people never dream of fiddling with browser settings, even if they find out they're there. In Italy most teenagers think Facebook is the entirety of the Internet. We are not in JPB's Kansas now.

Denny - PECR r 6(4) (which you obviously know about, congrats) is designed to meet your needs re "just making the system work". If it doesn't fall within it, that's deliberate - to stop developers (as is currently industry practice) taking the easiest, most privacy invasive way to design a system. 6(4)(a) is not well defined but the principle is good. This is only the beginning - bring on Privacy by Design in reforms of the DPD proper. I sympathise though with anyone attempting to implement the hopeless shambles which is the UK's attempt to dig itself into a hole and keep digging.

The EU Directive seems (possibly, it's unclear to me and many others) to be correctly worded to allow 'normal' functionality-enhancing cookie usage. However, the UK/ICO interpretation of this seems to be far more restrictive. From the ICO guidance:
"This might include, for example, being asked to agree to a cookie being used for a particular service, such as remembering your preferences on a site."

That's in direct contradiction of the EU guidance I quoted earlier, which states that (for example) language preference settings do not require explicit prior consent for a cookie to be set. It's this kind of inconsistency which is worrying the web developers I know.

Speaking of cookies and UX enhancements, is there any particular reason the comment system on this blog doesn't offer to save my name/email/website instead of my having to type it in again each time I post? (And if it did offer that feature, would it now need "(selecting this option will set a cookie on your machine - more information can be found in our [privacy policy])" next to the 'Remember me' tickbox?) :)

I am also puzzled by this concept of getting consent after the fact. Is that like Schroedinger's legislation? Your actions are in a sort of quantum state of legal and illegal at the same time and you don't know until you ask for consent later? That really does not make any sense at all. By that logic I can defend any use of cookies with the "I sincerely hope that one day the users will consent to this retrospectively"...

I'm guessing (wildly) that the intention here is something like "You can set a cookie prior to obtaining consent, as long as you do immediately then request consent, and remove the cookie if consent is refused". Maybe.

(See also: "It's easier to ask for forgiveness than it is to get permission.")

They don’t know is the short answer. Behavioural advertising previously argued that there is a general “implied” consent from allowing cookies. Now browser settings may be accepted as some sort of informed consent, on the basis that people will be educated about this. Basically, it is nonsense, but the government and regulators do not wish to upset the handful of businesses that make fairly large amounts of money currently. Not that they'd necessarily make so much less if they weren’t profiling people.

Surely the Facebook like button cookies would be exempt because they are "strictly necessary" for the provision of a service "explicitly requested" by the user. This means that if a user is clicking the like button then they are requesting a service from Facebook. In order to log the user in to their Facebook account they have to use cookies. The FB cookies aren't set until a user clicks the button. Only Facebook get the information about the user, not the website owner. So where’s the problem? As for Google Analytics, I personally don't see how this breaches a user’s privacy because there is no personally identifiable information seen by the website owner or Google, and tracking stops when they leave the site. If people don’t like being tracked then they should stay off the internet. It’s a fact that tracking is here and it’s here to stay. It’s like asking the Government to abolish all CCTV cameras. It won’t happen and neither will the stopping of cookies. Also I think Ed Vaizey remembers the days when every time you went online you kept getting pestered by pop ups about cookies. He and the Government don’t want this to happen again because it ruined the browsing experience. They are working with browser developers to find a way to implement a do not track button of some sort. Having pop ups = ruined browsing experience = very annoyed user. The settings are there; if you don’t like cookies then use your settings. I don’t think businesses should have to do anything because the user already has the option to do something. So let the businesses carry out their business activities while you learn how to disable cookies in your browser.

On Facebook, there are two different scenarios, to my mind. If you sign up to FB, they can probably make it a term of service that you will be tracked across the web, and you can agree to that, and everything's legal, if rather asymmetric.

If on the other hand you are not a Facebook user, and haven't agreed to be tracked, then you shouldn't be. The widget tracking is not strictly necessary to a webpage, even if the widget is. I think it is currently unclear to what extent Facebook does track you, as logged in, not logged in, and not registered.

On pop-ups or other explicit permissions, there are only a handful of services that need to request to track, be told yes or no, which can then work out how not to annoy users. The objection from these services is not really customer inconvenience, it is that fewer people would opt in to being spied on, and they would make less money.

There should be a compulsory principle of "Opt In", with prior full disclosure of terms and use of data.

It's not just tracking that is a problem; it's what is done with the data.

In my family's case, Google tracked some card purchases and then tied the card details to the Google work account (due to working from home); now others in work (who I delegate to) get to see personal card related data. There was no explicit consent to tie in this personal data.

Paypal causes problems by linking a shared card account to one single account; this means legitimate purchases by another are blocked. Thus the other person is forced to use a different card. There was no explicit consent for Paypal to tie the card to one account only.

In work we've looked at this long and hard; the solution we are implementing is the Share Button, which only tracks the links you send through Facebook to others, not the other pages you may visit.

A web page linking to another is called the referrer, and the referrer URL has always (since the beginning of the web) been passed to the linked page's server when you click the link. Thus using the Share Button changes nothing; it's the best we can do.

Open Rights Group exists to preserve and promote your rights in the digital age. We are funded by thousands of people like you. We are based in London, United Kingdom. Open Rights is a non-profit company limited by Guarantee, registered in England and Wales no. 05581537.